GDPR and Data Subject Requests
| Section |
Description |
| Feature Area |
Platform Operations / Compliance |
| Navigation |
API-based (Developer Center) — no dedicated Admin UI page |
| Alt Navigation (Audit Viewer) |
Admin → Troubleshooting → Audit Viewer (for change-event monitoring) |
| Primary Function |
Enable organizations to respond to data subject requests for access, rectification, and deletion of personal data under GDPR, CCPA, and similar regulations |
| Genesys Role |
Data Processor (under GDPR Article 28) — customers are the Data Controllers |
Study Notes
| Topic |
Explanation |
| GDPR |
General Data Protection Regulation — EU regulation protecting individuals' rights over their personal data |
| Data Subject |
The individual whose personal data is being processed — your contact center's customer |
| Data Controller |
The organization that determines how and why personal data is processed — your organization |
| Data Processor |
The vendor that processes data on behalf of the controller — Genesys Cloud |
| DPA |
Data Processing Agreement — a contract required under GDPR Article 28 between controller and processor; contact [email protected] |
| GDPR API |
Genesys Cloud's preferred self-service mechanism for customers to respond to data subject requests |
| Rate Limits |
The GDPR API is rate-limited — it is designed for individual requests, not bulk deletion |
| CCPA |
California Consumer Privacy Act — data subject rights are similar to GDPR; Genesys Cloud uses the same GDPR API to respond to CCPA requests |
| No enabling required |
GDPR compliance does not require any Genesys Cloud configuration to be enabled — the GDPR API is available to all customers |
| No GDPR certification |
No official GDPR certification exists for cloud providers; Genesys Cloud maintains compliance through independent reviews (HIPAA audits, etc.) |
The Three Fundamental Data Subject Rights (Relevant Articles)
| GDPR Article |
Right |
GDPR API Request Type |
| Article 15 |
Right of Access |
Export — retrieve all personal data Genesys Cloud holds for this subject |
| Article 16 |
Right to Rectification |
Update — correct/update personal data |
| Article 17 |
Right to Erasure ("Right to be Forgotten") |
Delete — remove or anonymize personal data |
When the request type is Delete, some services may anonymize personal data rather than fully delete it, depending on the service.
Processing happens asynchronously — the request is created and initiated but may not complete immediately.
GDPR API — Two Endpoints
1. Subjects Endpoint
Used to identify which subjects match a given search term before submitting a request.
| Attribute |
Detail |
| Purpose |
Find which individuals a search term matches — reduces risk of accidental data changes |
| Accepted search term types |
Name · Address · Phone number · Email address · Social media handle |
| Returns |
List of matching subjects — each is a userId, externalContactId, or dialerContactId |
| Best practice |
Always use subjects endpoint first before submitting a requests endpoint call |
2. Requests Endpoint
Used to initiate an actual GDPR request (Get, Export, Update, or Delete).
| Attribute |
Detail |
| Accepted search term types |
Name · Address · Phone · Email · Social media handle · User ID · External Contact ID · Dialer Contact ID |
| Request types |
Get · Export (Article 15) · Update (Article 16) · Delete (Article 17) |
| Multiple identifiers |
Submit one request per identifier — if a person has name + phone + email, submit three separate requests |
| ID resolution |
If a User ID or External Contact ID is provided, Genesys resolves it to the full record first |
| Processing |
Asynchronous |
Services That Require a Subject to Be Included
The following services require a subject (not just a search term) in the GDPR API request:
- Outbound Dialing
- Directory
- External Contacts
| Channel |
Searchable Fields |
| Twitter / X |
screenName (@ handle) · id (account ID) |
| Instagram |
scopedId · handle (username) |
| Facebook |
scopedId |
| Apple Messages for Business |
opaqueId (Apple-generated per-account identifier) |
File Attachments in ACD Interactions
Genesys Cloud does not search the contents of file attachments for personal data. Instead:
- A GDPR request using an External ID will find the conversation and any associated file attachments
- On a Delete request, associated file attachments are removed regardless of content
- Requirement: ACD interactions containing personal data in file attachments must be associated with a contact profile in External Contacts — otherwise they cannot be found via the GDPR API
If your org uses the single customer view (contact merging):
| Step |
Action |
| Subjects endpoint |
May return multiple External Contact IDs for the same person (same merge set) |
| Identify merge sets |
Use External Contacts API — fetch each contact and check canonicalContact field |
| Requests endpoint |
Submit only one request per merge set using the canonical contact ID |
| Behavior |
GDPR API automatically duplicates the request for each contact in the merge set |
| Related requests |
Each related request succeeds or fails independently — inspect each individually |
What Personal Data Should NOT Be Stored in Genesys Cloud
To ensure the GDPR API can locate and manage personal data correctly, avoid storing personal data in these locations:
| Location |
Why to Avoid |
| Architect flow names, descriptions, state names, task names, action names |
GDPR API cannot search these |
| Prompt text-to-speech values |
Not searchable |
| Directory personal status |
Not searchable via GDPR API |
| Custom attributes (unless associated with an External Contact) |
GDPR API cannot find data in custom variables unless linked to a contact |
Response Timeframes (Approximate)
| Request Type |
Approximate Processing Time |
| Access / Export (Article 15) |
1–2 days |
| Removal / Delete (Article 17) |
Up to 14 days |
These are approximate values. Actual times may vary.
Genesys Cloud's GDPR Governance Structure
| Role |
Responsibility |
| Chief Privacy Officer |
Oversees company-wide data privacy program |
| European Data Protection Officer (DPO) |
Oversees compliance with European data protection law |
| VP Security & GRC |
Security and regulatory compliance oversight |
| Security & Compliance team |
Holds IAPP (International Association of Privacy Professionals) certification |
GDPR and Other Regulations
| Regulation |
How Genesys Cloud Addresses It |
| GDPR (EU) |
GDPR API; data processor role; DPA available; IAPP-trained staff |
| CCPA (California) |
Same GDPR API handles CCPA data subject requests — no separate configuration needed |
| HIPAA |
Independent third-party audits |
| PCI DSS |
Secure call flows; recording controls; policy exclusions |
| HDS (France) |
Genesys Cloud has undergone independent audit to achieve HDS certification |
| LGPD (Brazil) |
Aligned with GDPR principles |
Best Practices
| Practice |
Reason |
| Always use the subjects endpoint first |
Identify exact individuals before submitting a modification or deletion request |
| Submit a request per identifier |
If the person has a name, phone, and email — submit three separate requests |
| Associate ACD interactions with External Contact profiles |
Required for GDPR API to locate file attachments |
| Do not store PII in flow names or prompt values |
GDPR API cannot search these |
| Do not use GDPR API for bulk deletion |
Rate limits will restrict bulk operations — use the API for individual requests only |
| Contact [email protected] for DPA |
Required under GDPR Article 28 for organizations subject to GDPR |
Key Takeaways
| Topic |
Summary |
| Genesys role |
Data Processor — you are the Data Controller |
| GDPR API |
Preferred self-service solution for responding to data subject requests |
| Two endpoints |
Subjects (identify who) → Requests (initiate the action) |
| Request types |
Export (Article 15) · Update (Article 16) · Delete (Article 17) |
| Delete behavior |
Some services anonymize rather than fully delete |
| Processing |
Asynchronous |
| Rate limits |
Designed for individual requests only — not bulk operations |
| No UI |
GDPR API is developer/API-based — no Admin UI page |
| CCPA |
Same GDPR API handles CCPA requests |
| Timeframes |
Access: 1–2 days; Removal: up to 14 days |
